What's Happening?
A fake ad-blocking extension named NexShield has been identified as part of a malvertising campaign targeting Chrome and Edge browsers. The extension, which has been removed from the Chrome Web Store, creates a denial-of-service condition by exhausting browser memory resources, leading to crashes. Upon restart, it displays deceptive pop-ups prompting users to execute malicious commands. The attack, dubbed 'CrashFix,' is linked to a threat actor named 'KongTuke' and involves deploying a remote access tool called ModeloRAT in corporate environments.
Why It's Important?
The use of fake browser extensions to execute ClickFix attacks represents a significant cybersecurity threat, particularly to corporate environments. These attacks can lead to unauthorized access, data breaches, and system disruptions. The incident underscores the importance of vigilance in installing browser extensions and highlights the need for robust cybersecurity measures to protect against such threats.








